Globalization brings challenges

Private Sector Scenario: Planned Delivery

System Delivery Example - Private Sector

$7,474,793.00 - 85' custom-built motor yacht (4 state rooms, state-of-the-art galley, GPS system, radar for navigation, twin supercharged diesel engines)

• Celebration ($1500.00)
  • Champagne
  • Chocolate covered strawberries with cream
  • Music dockside for the excited 'soon to be owner' and a small group of his friends
• Logistics
  • Two corporate representatives
  • Crane
  • Rigging $2,500.00 an hour minimum

Courtesy of Don Davidson, OSD TMSN, Chief of Outreach and Standardization


System Delivery Example - Private Sector (continued)

► Critical component in the rigging contained a faulty $25.00 turnbuckle.

Courtesy of Don Davidson, OSD TMSN, Chief of Outreach and Standardization
► Globalization Challenges
► Understanding The Problem
► DOD Tool Box for SCRM
► Working Towards A Solution


From The World Is Flat by Thomas Friedman

Dell Inspiron 600m Notebook: Key Components and Suppliers

Component - Supplier or Potential Suppliers

Microprocessor - US-owned factory in the Philippines, Costa Rica, Malaysia, or China (Intel)
Memory - South Korea (Samsung), Taiwan (Nanya), Germany (Infineon), or Japan (Elpida)
Graphics Card - China (Foxconn), or Taiwanese-owned factory in China (MSI)
Cooling fan - Taiwan (CCI and Auras)
Motherboard - Taiwan (Compal and Wistron), Taiwanese-owned factory in China (Quanta), or South Korean-owned factory in China (Samsung)
Keyboard - Japanese company in China (Alps), or Taiwanese-owned factory in China (Sunrex and Darfon)
LCD - South Korea (Samsung, LG.Philips LCD), Japan (Toshiba or Sharp), or Taiwan (Chi Mei Optoelectronics, Hannstar Display, or AU Optronics)
Wireless Card - Taiwan (Askey or Gemtek), American-owned factory in China (Agere) or Malaysia (Arrow), or Taiwanese-owned factory in China (USI)
Modem - China (Foxconn), or Taiwanese company in China (Asustek or Liteon)
Battery - American-owned factory in Malaysia (Motorola), Japanese company in Mexico, Malaysia, or China (Sanyo), or South Korean or Taiwanese factory (SDI and Simplo)
Hard Disk Drive - American-owned factory in Singapore (Seagate), Japanese-owned company in Thailand (Hitachi or Fujitsu), or Japanese-owned company in the Philippines (Toshiba)
CD/DVD - South Korean company with factories in Indonesia and Philippines (Samsung), Japanese-owned factory in China or Malaysia (NEC), Japanese-owned factory in Indonesia, China, or Malaysia (Teac), or Japanese-owned factory in China (Sony)
Notebook Carrying Bag - Irish company in China (Tenba), or American company in China (Targus, Samsonite, and Pacific Design)
Power Adapter - Thailand (Delta), or Taiwanese-, South Korean-, or American-owned factory in China (Liteon, Samsung, and Mobility)
Power Cord - British company with factories in China, Malaysia, and India (Volex)
Removable Memory Stick - Israel (M-System), or American company with factory in Malaysia (Smart Modular)
Technology Is A Focal Point Of Attacks

Who is behind data breaches?

74% resulted from external sources (+1%).
20% were caused by insiders (+2%).
32% implicated business partners (-7%).
39% involved multiple parties (+9%).

How do breaches occur?

7% were aided by significant errors (<>).
64% resulted from hacking (+5%).
38% utilized malware (+7%).
22% involved privilege misuse (+7%).
9% occurred via physical attacks (+7%).

* Source - 2009 Verizon Data Breach Investigations Report


According to an article in the May 2010 National Defense Magazine, well-funded nation states and terrorist organizations are engaging in cyber attacks against US government systems. Examples of those include 44,000 Turkish teenagers in a military-style community of hackers learning from each other.

There are also 100,000 hackers learning from each other in Saudi Arabia, 40,000 in Iraq, and over 400,000 in China.
Today's Reality of our Increased Dependency Requires an Increased Confidence in our ICT

► Dependencies on technology are greater than ever
► Possibility of disruption is greater than ever because hardware/software is vulnerable
► Loss of confidence alone can lead to stakeholder actions that disrupt critical business activities

Critical Infrastructure / Key Resources

• Water
• Agriculture and Food
• Public Health
• Energy
• Telecommunications
• Transportation
• Banking and Finance
• Chemical Industry
• Key Assets
• Postal and Shipping

Physical Infrastructure

Railroad Tracks, Highway Bridges, Pipelines, Ports, Cable, Fiber
Reservoirs, Treatment plants, Farms, Food Processing Plants, Hospitals, Power Plants, Production Sites
FDIC Institutions, Chemical Plants, Delivery Sites, Nuclear power plants, Government Facilities, Dams

Cyber Infrastructure

Services
• Managed Security
• Information Services

Control Systems
• SCADA
• PCS
• DCS

Software
• Financial Systems
• Human Resources

Hardware
• Database Servers
• Networking Equipment

Internet
• Domain Name System
• Web Hosting


Increased Priority for Program Protection

► Threats: Nation-state, terrorist, criminal, rogue developer who:
  - Gain control of systems through supply chain opportunities
  - Exploit vulnerabilities remotely
► Vulnerabilities: All systems, networks, applications
  - Intentionally implanted logic (e.g., back doors, logic bombs, spyware)
  - Unintentional vulnerabilities maliciously exploited (e.g., poor quality or fragile code)
► Consequences: Stolen critical data & technology; corruption, denial of critical warfighting functionality

Today's acquisition environment drives the increased emphasis:

Then -> Now
Standalone systems -> Networked systems
Some software functions -> Software-intensive
Known supply base -> Prime Integrator, hundreds of suppliers

Source: September 28, 2010 SwA Forum, DoD Trusted Defense Systems, Ms. Kristen Baldwin, DDR&E/Systems Engineering


“Maryland Man Sentenced to 84 Months in Prison for Defrauding Cisco Systems Inc.”

INCIDENT:

Chinasa manufactured counterfeit computer networking and telecommunications equipment. He or Chambliss would then contact Cisco, falsely claiming that they were having trouble with a Cisco product covered by a warranty. Cisco would issue replacement parts, but its warranty required return of the allegedly defective product. To satisfy that return policy, Chinasa and Chambliss would send their counterfeit product to Cisco.

MITIGATION:

Iheanyi Frank Chinasa, 39, of Gaithersburg, Md., and Chambliss, 31, of Henrico, Va., were indicted on Aug. 18, 2010. Chambliss pleaded guilty on Jan. 12, 2011, to conspiring to commit mail fraud and wire fraud. Chambliss was sentenced on April 13, 2011, to 12 months and one day in prison and ordered to pay $18,761,825 in restitution. Chinasa was sentenced to 84 months in prison for his participation in a scheme to defraud Cisco Systems Inc.

IMPACT:

Cisco was defrauded of over $27 million in assets, and consumer reliability was impacted.

http://richmond.fbi.gov/dojpressrel/pressrel11/ri050511.htm
“U.S. charges Florida pair with selling counterfeit computer chips from China to the U.S. Navy and military”

INCIDENT:

On September 14, 2010 Federal prosecutors in Washington unsealed charges accusing a Florida pair of selling more than 59,000 counterfeit computer microchips from China to the U.S. Navy and other clients for military use aboard American warships, fighter planes, missile and antimissile systems. Wren, owner of VisionTech Components and related companies, and McCloskey, an administrator, were charged with conspiracy, trafficking in counterfeit goods and mail fraud.

IMPACT:

The case marked the latest effort by U.S. authorities to stem the flow of fake electronics into the U.S. military supply chain, as warnings mount that fake chips could be defective or "electronic Trojan horses" that would allow hackers to disable them or track their use. Several recent government reports warn that computer chips marked with false brands or mislabeled as military-grade may include imperfections that could cripple or degrade weapons systems in combat or over time.

MITIGATION:

In January the Commerce Department reported that the number of counterfeit incidents discovered by the military and its suppliers more than doubled between 2005 and 2008, to more than 9,356 cases. Meanwhile, lawmakers and congressional investigators have called on the Pentagon and law-enforcement agencies to combat the problem more aggressively.

http://www.washingtonpost.com/wp-dyn/content/article/2010/09/14/AR2010091406468.html
“California MVP MICRO, INC. Owner pleads guilty in connection with sales of counterfeit high tech parts to the U.S. Military”

INCIDENT:

On January 14, 2010 Mustafa Abdul Aljaff, 30, of Newport Coast, California, pleaded guilty to Counts One and Six of an Indictment charging him and others with conspiracy to traffic in counterfeit computer chips. Aljaff and others entered into contracts with the U.S. Navy and other government agencies for the sales of integrated circuits. Subsequently, they shipped integrated circuits bearing false, counterfeit trademarks to the U.S. Navy in Washington, D.C.

IMPACT:

Integrated circuits are used in a wide array of modern electronic products including consumer electronics and transportation, medical, aircraft, spacecraft, and military applications. The use of counterfeit integrated circuits can result in product malfunction or failure, and can also cause serious bodily injury from electrocution and, in some circumstances, death. Counterfeit goods create a risk to public safety and national security.

MITIGATION:

Collaborative efforts of Immigration and Customs Enforcement (ICE), the Naval Criminal Investigative Service (NCIS) Washington, D.C. (Special Agent in Charge Andre Martin), the Internal Revenue Service (IRS), and the Office of Inspector General (DOT OIG). These organizations continue to aggressively pursue individuals and organizations engaging in intellectual property rights crimes.

http://www.iacc.org/news-media-resources/news-archive/california-mvp-micro-inc-owner-pleads-guilty.php
Why is ICT SCRM standardization Important to the USG?

“CNCI-SCRM is a multi-pronged approach for global supply chain risk management. ...Managing this risk will require a greater awareness of the threats, vulnerabilities, and consequences associated with acquisition decisions; the development and employment of tools and resources to technically and operationally mitigate risk across the lifecycle of products (from design through retirement); the development of new acquisition policies and practices that reflect the complex global marketplace; and partnership with industry to develop and adopt supply chain and risk management standards and best practices.”
ICT Supply Chain Risk Management requires contributions and collaboration among many disciplines with recognized standards

[Figure: overlapping disciplines - Systems Engineering, Supply Chain & Logistics, and ICT Supply Chain Assurance - with the following standards grouped around them.]

• ISO/IEC 27005 (Risk Management: Information Security)
• ISO/IEC 16085 (Risk Management: Life Cycle Processes)
• ISO/IEC 31000 (Risk Management: Principles and Guidelines)

• ISO/IEC 20000 (IT Service Management)
• Resiliency Management Model (RMM)

• ISO/IEC/IEEE 15288 (Systems)
• ISO/IEC 15026 (Systems Assurance)
• IEEE 1062 (Software Acquisition)
• Capability Maturity Model Integration (CMMI)

• ISO/IEC 28000 (Supply Chain Resiliency)

• ISO/IEC 27036 (Information Security for Supplier Relationships)
• ISO/IEC 27000 Family (Information Security Management Systems)
• Common Criteria

• OSAMM
• BSIMM
• Microsoft Secure Development Lifecycle
• ISO/IEC 27034 (Guidelines for Application Security)
• ISO/IEC TR 24772 (Programming Language Vulnerabilities)

ICT Supply Chain Assurance: An IATAC State-of-the-Art Report

The following link is available to personnel accessing from within a .mil or .gov domain:

URL: http://iac.dtic.mil/iatac/pdf/supply_chain.pdf

You may also contact IATAC directly to obtain access to this report. The easiest way for you and the IATAC team to get you the report is for you to

Information Assurance Technology Analysis Center (IATAC)

Email: iatac@dtic.mil

URL: http://iac.dtic.mil/iatac/


National Defense Industrial Association Guidebook on Engineering for System Assurance

► Intended to supplement the knowledge of systems (and software) engineers who have responsibility for systems for which there are assurance concerns
► General Guidance mapped to ISO/IEC/IEEE 15288, System Life Cycle Processes
  - DoD Specific Guidance, mapped to DoD Acquisition Life Cycle
    - Anti-Tamper
    - DAG Lifecycle Framework
    - Technology Development Phase
    - System Development & Demonstration Phase
    - Production, Deployment, Operations, & Support Phases
  - Supporting Processes
    - Periodic Reports
    - Supplier Assurance
  - Mappings
    - Correspondence with Existing Documentation, Policies, and Standards
    - Executive Policy, Services Standards, NIST/NSA (NIAP) Standards, GEIA, AIA, IEEE, ISO Standards, Best Practice (e.g., DHS/DOD SwABOK)
  - Adopted as NATO AEP-67, Engineering for System Assurance in NATO Programmes, February 2010

Engineering for System Assurance, Version 1.0
National Defense Industrial Association System Assurance Committee

http://www.acq.osd.mil/sse/docs/SA-Guidebook-v1-Oct2008.pdf

Courtesy of Paul Croll, IEEE


Countering Counterfeits Strategic Concept

[Figure: Counterfeits - Number of Known Counterfeits Is Increasing, From Major Sources; Countering Counterfeits (C2T2) Activities overlapping with SCRM Activities.]

Law
Policy & Guidance
Process -> from fault/failures to T&E for counterfeit assessment
People -> Training & Education
Technology -> R&D / S&T
(Knowledge -> Leadership)

Courtesy of Don Davidson, OSD TMSN, Chief of Outreach and Standardization


DoD SCRM Pilot Program Objectives

► Enhance the capacity to produce and use supplier threat information
► Define and incrementally implement SCRM capability
  - Ensure DoD capability aligns with evolving federal capability
► Gather lessons learned
► Identify changes needed to policy, guidance, and statute
  - Proposed gap-fillers (e.g., SCRM technical controls, OMB Guidance, DoD procurement guidance)
► Create infrastructure for supporting SCRM across DoD
  - Toolkit of key practices, supporting instructions and TTPs, and possible mitigations
► Identify capability scaling factors and sensitivities

DoD SCRM Pilot Capability

► Established all-source threat assessment capability at DIA
► Established SCRM Center of Excellence in each Military Service
► SCRM Key Practices Guide

Existing Counterintelligence Support & Acquisition Risk Management Activities

[Figure: DNI Acquisition Risk Directorate (ARD) with FBI ARD Liaison, DoD ARD Liaison, and NSA ARD Liaison; DIA SCRM Threat Assessment Center comprising Management/Admin, Plans & Strategy, All-source Threat Assessments, and Threat Mitigation Support.]


Completed over 30 DoD SCRM Pilot Projects

► Army
  - Ground Soldier Ensemble
  - Sky Warrior / One System Ground Control Station Program
  - Program Executive Office, Enterprise Information Systems (PEO EIS)
  - Program Executive Office Command Control Communications Tactical (PEO C3T)
  - Intelligence, Electronic Warfare & Sensors (IEWS)
  - Ground Combat Vehicle

► Navy
  - Joint Stand Off Weapon (JSOW-C)
  - OBI Integrated Network Security Levels (OBINSL)
  - Joint Services IT Equipment Commodity Strategy (JSIECS)

► ASD/NII
  - National and Nuclear Command Capabilities (N2CC)

► Air Force
  - ESSG Software Buys
  - Air Force Smart Operations for the 21st Century (AFSO21) Hardware Buys


DoD SCRM Pilot Projects Findings

► SCRM is an essential element of acquisition, systems engineering and sustainment and must be appropriately staffed and funded
► Need for an enterprise governance of SCRM issues and mitigations
► Processes must evolve to include trust assumptions that are valid in a global supply chain
► Technology solutions to enhance trust and reduce risk to support SCRM have not been fully examined or implemented within the DoD
► Legal and contractual methods are needed to avoid those suppliers determined to present elevated supply chain risk, in addition to legislative and regulatory guidance for managing supply chain risk
► DoD policies are insufficient to address SCRM issues


What's Next for DoD SCRM Pilot Program

► Formal release of the SCRM Pilot Report and Findings
► Further integration of Test and Evaluation (T&E) capability in SCRM infrastructure
► Expand SCRM Pilots into the DoD Agencies
► Formalize SCRM Practices across all DoD Programs
► Introduce SCRM at beginning of Acquisition Lifecycle
  - Identify vulnerabilities and threats early
  - Develop mitigation strategies before they impact cost, schedule and performance
  - Integrate SCRM as an iterative process that matures as the program matures


A collaborative landscape exists to share best practices and lessons learned across government and industry

US has vital interest in the global supply chain.

[Figure: DHS & IA, Other Users, and Commercial Industry around COTS.]

SCRM "commercially acceptable global standard(s)" must be derived from Commercial Industry Best Practices.

Courtesy of Don Davidson, OSD TMSN, Chief of Outreach and Standardization


SAFECode (www.safecode.org)

► SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services
► White papers
  - Software Assurance: An Overview of Current Industry Best Practices
  - Fundamental Practices for Secure Software Development
  - Security Engineering Training: A Framework for Corporate Training Programs on the Principles of Secure Software Development
  - Framework for Software Supply Chain Integrity
  - Software Integrity Controls: An Assurance-Based Approach to Minimizing Risks in the Software Supply Chain
Describing the Software Supply Chain

► Sophisticated IT solutions are composed of a collection of components

► Each component or its parts can be:
  - Developed by its supplier or on that supplier's behalf by their subcontractors; or
  - Licensed to the supplier by another vendor or obtained from Open Source repositories; or
  - Acquired outright by the supplier

Supplier Sourcing
• Procurement

Product Development and Testing
• Environment
• Personnel
• Software Development

Product Delivery
• Distribution
• Maintenance

► Regardless of the development scenario, each software supplier in the supply chain must manage three sets of controls:
  1. Supplier Sourcing — Select the suppliers, establish the specification for the supplier's deliverables, and receive software/hardware deliverables from the suppliers;
  2. Product Development and Testing — Build, assemble, integrate and test components and finalize for delivery; and,
  3. Product Delivery — Deliver and maintain their product components to their customer.

Source - SAFECode: Framework for Software Supply Chain Integrity
Software Supply Chain Staircase

► Figuratively, an IT solution supply chain can resemble a collection of staircases involving the successive transmission of software components from a supplier to its customer

► In this figure, components move along the "staircase" supply chain as they are handed off from one supplier to the next. At each step a supplier controls three links in the supply chain:
  1. Goods received from suppliers;
  2. Their product production; and
  3. What is delivered to their customers

[Figure: Software Supply Chain Staircase. Steps from bottom to top: Tier 2 Supplier, Tier 1 Software Supplier, Integrator, Customer. Each supplier step shows Supplier Sourcing, Product, and Delivery; handoffs between steps are marked by Acceptance Test and Release Test, aligned with Project Lifecycles.]

Source - SAFECode: Framework for Software Supply Chain Integrity

Fundamental Software Supply Chain Integrity Controls

► Software supply chain integrity controls address the access, storage and handling of development assets throughout the supply chain - supplier sourcing, product development and testing, and product delivery.

► Some fundamental software supply chain integrity controls, derived from established security and integrity principles, include:

Control Title - Description

Chain of Custody - The confidence that each change and handoff made during the source code's lifetime is authorized, transparent and verifiable.
Least Privilege Access - Personnel can access critical data with only the privileges needed to do their jobs.
Separation of Duties - Personnel cannot unilaterally change data, nor unilaterally control the development process.
Tamper Resistance and Evidence - Attempts to tamper are obstructed, and when they occur they are evident and reversible.
Persistent Protection - Critical data is protected in ways that remain effective even if removed from the development location.
Compliance Management - The success of the protections can be continually and independently confirmed.
Code Testing and Verification - Methods for code inspection are applied and suspicious code is detected.

Source - SAFECode: Framework for Software Supply Chain Integrity
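The chain-of-custody and tamper-evidence controls above, applied to the three links each supplier holds on the staircase, as an added Python example that is not SAFECode's or the slide deck's own code: each supplier records the handoff it received, the hash of what it delivers, and an authentication tag, and the customer walks the records back down the staircase. Supplier keys and artifacts are constructed; HMAC tags stand in for the signatures a real supplier would use.

```python
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Constructed example keys, one per supplier on the staircase. Real suppliers
# would sign with asymmetric keys; HMAC keys are a stand-in (an assumption of
# this example) so it runs with the standard library only.
KEYS = {
    "tier2_supplier": b"tier2-example-key",
    "tier1_supplier": b"tier1-example-key",
    "integrator": b"integrator-example-key",
}


def digest(data: bytes) -> str:
    """SHA-256 of a delivered artifact, recorded at handoff time."""
    return hashlib.sha256(data).hexdigest()


def _canonical(record: dict) -> bytes:
    # Deterministic serialisation so the verifier recomputes the same bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _tag(supplier: str, body: dict) -> str:
    return hmac.new(KEYS[supplier], _canonical(body), "sha256").hexdigest()


def make_handoff(supplier: str, received: Optional[dict], delivered: bytes) -> dict:
    """Record the three links a supplier controls on the staircase:
    the upstream handoff it received (link 1), its own production (link 2),
    and the artifact it delivers downstream (link 3)."""
    body = {
        "supplier": supplier,
        "received_tag": received["tag"] if received else None,
        "delivered_sha256": digest(delivered),
    }
    return {**body, "tag": _tag(supplier, body)}


def verify_chain(records: List[dict], artifacts: List[bytes]) -> Tuple[bool, str]:
    """Walk the staircase from the lowest tier to the customer. Every record
    must carry a valid tag, link to the previous record, and match the artifact
    actually handed over; the first failure names the step where custody broke."""
    if len(records) != len(artifacts):
        return False, "record/artifact count mismatch"
    prev_tag = None
    for rec, artifact in zip(records, artifacts):
        supplier = rec.get("supplier")
        if supplier not in KEYS:
            return False, f"unknown supplier {supplier!r}"
        body = {k: v for k, v in rec.items() if k != "tag"}
        if not hmac.compare_digest(_tag(supplier, body), rec.get("tag", "")):
            return False, f"{supplier}: handoff record altered or wrong key"
        if rec.get("received_tag") != prev_tag:
            return False, f"{supplier}: record does not link to the upstream handoff"
        if digest(artifact) != rec.get("delivered_sha256"):
            return False, f"{supplier}: delivered artifact does not match recorded hash"
        prev_tag = rec["tag"]
    return True, "chain of custody intact"


def demo() -> Tuple[Tuple[bool, str], Tuple[bool, str]]:
    """Constructed three-step staircase: tier 2 -> tier 1 -> integrator -> customer."""
    lib = b"tier2 library v1.0"
    rec2 = make_handoff("tier2_supplier", None, lib)
    component = lib + b" + tier1 component"
    rec1 = make_handoff("tier1_supplier", rec2, component)
    product = component + b" + integrated product"
    rec0 = make_handoff("integrator", rec1, product)
    records = [rec2, rec1, rec0]
    intact = verify_chain(records, [lib, component, product])
    # Tamper evidence: the tier 1 component is modified after its handoff
    # record was made, so the customer's verification stops at that step.
    tampered = verify_chain(records, [lib, component + b" (modified)", product])
    return intact, tampered


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The verifier also catches a skipped step (a record whose received_tag does not match the previous tag) and an edited record (its tag no longer verifies), which is what makes the handoff chain transparent and verifiable rather than just hashed.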
NIST IR 7622, Piloting Supply Chain Risk Management for Federal Information Systems

► Initially based on the DoD ICT SCRM Key Practices document and developed in close collaboration with industry
► Introduces the notion of supply chain players
  - Acquirer - For this document, the acquirer is always a government agency (including those agencies taking on the role of integrator).
  - Integrator - A third-party organization that specializes in combining products/elements of several suppliers to produce elements (information systems).
  - Supplier - Third-party organization providing individual elements. Synonymous with vendor and manufacturer; also applies to maintenance/disposal service providers.
► Lays out prerequisites for being able to address the ICT SCRM challenge
► States specific practices that are consistent with DoD guidance and ISO frameworks
► Publication schedule:
  - 2nd draft mid-year
  - Workshop to discuss government and industry comments
  - Final by the end of 2011
  - Serve as the basis for a special publication, release date TBD
Table Of Contents

► Globalization Challenges
► Understanding The Problem
► DOD Tool Box for SCRM
► Working Towards A Solution

The ICT SCRM Standard Development Organization Landscape

Active ICT SCRM Standard Development
ISO/IEC 27036: Information technology - Security techniques - Information Security for Supplier Relationships

► Scope: This international standard covers information security in relationships between acquirers and suppliers to provide appropriate information security management for all parties. In particular, it also includes management of information security risks related to these relationships.
► The standard will be subdivided into the following parts:
  - Part 1 - Overview and Concepts
  - Part 2 - Common Requirements
  - Part 3 - Guidelines for ICT Supply Chain
  - Part 4 - Guidelines for Outsourcing
► Contributed relevant industry documents
  - The Software Supply Chain Integrity Framework, Software Assurance Forum for Excellence in Code (SAFECode)
  - Software Integrity Controls: An Assurance-Based Approach to Minimizing Risks in the Software Supply Chain, Software Assurance Forum for Excellence in Code (SAFECode)
  - Software Supply Chain Security, Microsoft; 16 slides, was briefed by Chris Fagan, Microsoft to CS1 and ISO; Chris Fagan was a key contributor to the SAFECode documents, as well as an active participant in TTPF work
  - NIST IR 7622, Piloting Supply Chain Risk Management for Federal Information Systems, NIST
What is the Problem and Gaps We Are Trying to Address?

Problem

► Information and Communication Technology (ICT) products are assembled, built, and transported by multiple vendors around the world before they are acquired, without the knowledge of the acquirer
► Abundant opportunities exist for malicious actors to tamper with and sabotage products, ultimately compromising system integrity and operations, as evidenced by multiple recently publicized incidents (counterfeit hardware sold to government agencies)
► Organizations acquiring hardware, software, and services are not able to understand and manage the security risks associated with the use of these products and services

Need

► Provide a common language for addressing the problem
► Provide a resource that would help acquirers articulate requirements to product and service providers and monitor implementation in a recognizable manner that is vetted internationally
  - Increase confidence in acquired products and services from a security risk point of view
  - Create a common language to articulate expectations regarding security risks associated with product and service acquisition
► Provide a resource that would help product and service providers demonstrate responsible practices, regardless of where they are located

Courtesy of Nadya Bartol, Booz Allen Hamilton


The Open Group Trusted Technology Provider Framework (TTPF)

Purpose

Identify and gain consensus on common processes, techniques, methods, product and system testing procedures, and language to describe and guide product development and supply chain management practices that can mitigate vulnerabilities which could lead to exploitation and malicious threats to product integrity.

Objectives

• Identify product assurance practices that should be expected from all commercial technology vendors based on the baseline best practices of leading trusted commercial technology suppliers
• Help establish expectations for global government and commercial customers when seeking to identify a trusted technology supplier
• Leverage existing globally recognized information assurance practices and standards
• Share with commercial technology consumers secure manufacturing and trustworthy technology supplier best practices
• Harmonize language used to describe best practices

Source: September 28, 2010 SwA Forum, DoD Trusted Defense Systems, Ms. Kristen Baldwin, DDR&E/Systems Engineering
What's next?

► Continued collaboration to:
  - Reach and enable program teams
  - Reach and enable executives
  - Develop and promote resources for use by program teams and executives

► Participation in international standardization efforts
  - SC7 TAG intersections through your SC7 TAG
  - CS1/SC27
  - IEEE representative to the SC7 TAG
  - SC22
► Participation through the SwA Working Groups and Forum

► Participation through the newly formed NDIA Cyber Division

[Figure: Systems Engineering, ICT Supply Chain Assurance, Supply Chain & Logistics.]

► Stay Tuned ...

Michele Moss
Lead Associate
Booz Allen Hamilton Inc.
8283 Greensboro Dr
McLean, VA 22102
703-377-1254
moss_michele@bah.com


